Executive Summary:

The South Carolina Department of Health and Human Services (SCDHHS) discovered a malicious insider data security breach in April 2012. Former employee Christopher Lykes Jr. was arrested on April 19, 2012 after months of allegedly compiling 228,435 personal records into 17 spreadsheets and emailing them to his personal email account. He is being charged with five counts of violating medical confidentiality and one count of disclosure of confidential information.

While Lykes was an authorized user with legitimate access to the records, he was not authorized to take the Personally Identifiable Information (PII) outside of SCDHHS. Of the records stolen, approximately 22,600 included various medical identification numbers that were linked to Social Security Numbers. All stolen records included other PII such as home addresses, birthdays, contact information, etc.

In response to the incident, SCDHHS is offering affected beneficiaries a year of credit / identity protection services. SCDHHS has also hired a third party to conduct a data and information technology risk assessment of its Information Technology (IT) system. SCDHHS also appears to be (at least partially) transferring its IT security risk, since it has purchased an identity theft insurance policy since the breach occurred.

Analysis:

This breach was allowed to occur because SCDHHS apparently had no Data Loss Prevention (DLP) system in place either to stop Lykes’ data theft or at least to alert system administrators to his suspicious activity. The security breach was only discovered after SCDHHS higher-ups were tipped off about the slow response times that service providers were experiencing in their dealings with Lykes. A subsequent investigation by SCDHHS uncovered the full extent of the malicious insider data breach.

A DLP system is an IT security system whose goal is to prevent accidental or malicious data leakage, particularly leakage of sensitive information. Although DLP systems employ many data-analysis and data-scanning methods, their basic operation involves examining network packets, stored files, and in-use data to ensure that information is being handled according to the organization's policies and rules. A DLP system will typically first attempt to discover all of the sensitive information that an organization is holding. Once discovered, the DLP system will identify all of the locations where the sensitive information exists, then monitor and control its usage. Other security methods that a DLP system may incorporate include restricting the applications that a user can execute, requiring permission before users can send data outside of the organization, matching data signatures, modeling user behavior, setting different sensitivity / security levels for data, watermarking documents, etc.

In the case of SCDHHS, the data theft that Lykes executed could have been prevented, or detected earlier than it was, by a DLP system. SCDHHS could have had a DLP system in place that restricted all outbound (egress) data, requiring the user to obtain permission from a system administrator before sending data externally. Alternatively, the system could simply have forbidden external data transfers altogether. Such a system would likely also have used data-scanning technology to look for anything that appeared to be PII within messages that Lykes was sending outside of SCDHHS, including matching data signatures and / or watermarks. When the DLP system detected violations in Lykes’ activity, it could have either dropped and logged his communication attempts or alerted a system administrator to his suspicious activity, thus averting or reducing the data breach(es).
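To make the egress-scanning step concrete, here is an added illustration (not code from the page or from SCDHHS) of the content-inspection and policy logic a DLP system applies to an outbound email: it looks for Social Security Numbers, medical IDs and dates of birth in the message and its attachments, estimates how many beneficiary records are leaving, and decides whether to allow, alert on, or block the message. The agency mail domain, the `MED-` medical-ID format, the webmail list and the bulk threshold are all constructed assumptions.

```python
import re
from collections import namedtuple

INTERNAL_DOMAIN = "agency.example"   # assumption: the organization's own mail domain
WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Content signatures. The medical-ID format is a constructed placeholder, not SCDHHS's real one.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MEDICAL_ID_RE = re.compile(r"\bMED-\d{8}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

Verdict = namedtuple("Verdict", "action reasons records")


def inspect_message(sender, recipients, body, attachments, bulk_threshold=25):
    """Egress decision for one outbound message.
    attachments maps filename -> text already extracted from the file (e.g. CSV rows)."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:                      # purely internal mail is out of scope for egress policy
        return Verdict("allow", [], 0)
    text = body + "\n" + "\n".join(attachments.values())
    ssns = set(SSN_RE.findall(text))
    med_ids = set(MEDICAL_ID_RE.findall(text))
    dobs = DOB_RE.findall(text)
    records = max(len(ssns), len(med_ids), len(dobs))   # rough count of distinct people exposed
    reasons = []
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s) in outbound content")
    if ssns and med_ids:
        reasons.append("medical IDs linked with SSNs")
    if records >= bulk_threshold:
        reasons.append(f"bulk PII export: ~{records} records")
    webmail = [r for r in external if r.split("@")[1].lower() in WEBMAIL]
    if webmail and records:
        reasons.append("PII addressed to personal webmail: " + ", ".join(webmail))
    if ssns or records >= bulk_threshold:
        return Verdict("block", reasons, records)   # drop the message and log the attempt
    if records:
        return Verdict("alert", reasons, records)   # deliver, but notify a system administrator
    return Verdict("allow", reasons, records)


# Constructed sample: a 40-row beneficiary export (medical ID, name, DOB, SSN) sent to webmail.
SAMPLE_CSV = "\n".join(
    f"MED-{10000000 + i:08d},Beneficiary {i},01/15/1980,{100 + i:03d}-45-{6000 + i:04d}"
    for i in range(40)
)

if __name__ == "__main__":
    verdict = inspect_message("worker@agency.example", ["me@gmail.com"],
                              "see attached", {"export.csv": SAMPLE_CSV})
    print(verdict.action, verdict.records, verdict.reasons)
```

The same counting step is what lets a DLP system distinguish a single case note mentioning one client from a spreadsheet of hundreds of thousands of records, and the block/alert split mirrors the "drop and log" versus "alert an administrator" options discussed above.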

While DLP systems are by no means foolproof, having one in place would likely have been more beneficial than not for SCDHHS. Aside from potentially averting or limiting losses, a DLP system may also afford an organization some legal protection. In cases where security breaches result in lawsuits, the fact that an organization had a DLP system in place at the time of the breach may be enough to show that it was not acting negligently.
